Mac Developer Library Developer
Search

 

This manual page is for Mac OS X version 10.9

If you are running a different version of Mac OS X, view the documentation locally:

  • In Terminal, using the man(1) command

Reading manual pages

Manual pages are intended as a quick reference for people who already understand a technology.

  • To learn how the manual is organized or to learn about command syntax, read the manual page for manpages(5).

  • For more information about this technology, look for other documentation in the Apple Developer Library.

  • For general information about writing shell scripts, read Shell Scripting Primer.




CHMOD(1)                  BSD General Commands Manual                 CHMOD(1)

NAME
     chmod -- change file modes or Access Control Lists

SYNOPSIS
     chmod [-fv] [-R [-H | -L | -P]] mode file ...
     chmod [-fv] [-R [-H | -L | -P]] [-a | +a | =a] ACE file ...
     chmod [-fhv] [-R [-H | -L | -P]] [-E] file ...
     chmod [-fhv] [-R [-H | -L | -P]] [-C] file ...
     chmod [-fhv] [-R [-H | -L | -P]] [-N] file ...

DESCRIPTION
     The chmod utility modifies the file mode bits of the listed files as specified by the mode operand. It
     may also be used to modify the Access Control Lists (ACLs) associated with the listed files.

     The generic options are as follows:

     -f      Do not display a diagnostic message if chmod could not modify the mode for file.

     -H      If the -R option is specified, symbolic links on the command line are followed.  (Symbolic
             links encountered in the tree traversal are not followed by default.)

     -h      If the file is a symbolic link, change the mode of the link itself rather than the file that
             the link points to.

     -L      If the -R option is specified, all symbolic links are followed.

     -P      If the -R option is specified, no symbolic links are followed.  This is the default.

     -R      Change the modes of the file hierarchies rooted in the files instead of just the files them-selves. themselves.
             selves.

     -v      Cause chmod to be verbose, showing filenames as the mode is modified.  If the -v flag is speci-fied specified
             fied more than once, the old and new modes of the file will also be printed, in both octal and
             symbolic notation.

     The -H, -L and -P options are ignored unless the -R option is specified.  In addition, these options
     override each other and the command's actions are determined by the last one specified.

     Only the owner of a file or the super-user is permitted to change the mode of a file.

DIAGNOSTICS
     The chmod utility exits 0 on success, and >0 if an error occurs.

MODES
     Modes may be absolute or symbolic.  An absolute mode is an octal number constructed from the sum of one
     or more of the following values:

           4000    (the set-user-ID-on-execution bit) Executable files with this bit set will run with
                   effective uid set to the uid of the file owner.  Directories with the set-user-id bit set
                   will force all files and sub-directories created in them to be owned by the directory
                   owner and not by the uid of the creating process, if the underlying file system supports
                   this feature: see chmod(2) and the suiddir option to mount(8).
           2000    (the set-group-ID-on-execution bit) Executable files with this bit set will run with
                   effective gid set to the gid of the file owner.
           1000    (the sticky bit) See chmod(2) and sticky(8).
           0400    Allow read by owner.
           0200    Allow write by owner.
           0100    For files, allow execution by owner.  For directories, allow the owner to search in the
                   directory.
           0040    Allow read by group members.
           0020    Allow write by group members.
           0010    For files, allow execution by group members.  For directories, allow group members to
                   search in the directory.
           0004    Allow read by others.
           0002    Allow write by others.
           0001    For files, allow execution by others.  For directories allow others to search in the
                   directory.

     For example, the absolute mode that permits read, write and execute by the owner, read and execute by
     group members, read and execute by others, and no set-uid or set-gid behaviour is 755
     (400+200+100+040+010+004+001).

     The symbolic mode is described by the following grammar:

           mode         ::= clause [, clause ...]
           clause       ::= [who ...] [action ...] action
           action       ::= op [perm ...]
           who          ::= a | u | g | o
           op           ::= + | - | =
           perm         ::= r | s | t | w | x | X | u | g | o

     The who symbols ``u'', ``g'', and ``o'' specify the user, group, and other parts of the mode bits,
     respectively.  The who symbol ``a'' is equivalent to ``ugo''.

     The perm symbols represent the portions of the mode bits as follows:

           r       The read bits.
           s       The set-user-ID-on-execution and set-group-ID-on-execution bits.
           t       The sticky bit.
           w       The write bits.
           x       The execute/search bits.
           X       The execute/search bits if the file is a directory or any of the execute/search bits are
                   set in the original (unmodified) mode.  Operations with the perm symbol ``X'' are only
                   meaningful in conjunction with the op symbol ``+'', and are ignored in all other cases.
           u       The user permission bits in the original mode of the file.
           g       The group permission bits in the original mode of the file.
           o       The other permission bits in the original mode of the file.

     The op symbols represent the operation performed, as follows:

     +     If no value is supplied for perm, the ``+'' operation has no effect.  If no value is supplied for
           who, each permission bit specified in perm, for which the corresponding bit in the file mode cre-ation creation
           ation mask is clear, is set.  Otherwise, the mode bits represented by the specified who and perm
           values are set.

     -     If no value is supplied for perm, the ``-'' operation has no effect.  If no value is supplied for
           who, each permission bit specified in perm, for which the corresponding bit in the file mode cre-ation creation
           ation mask is clear, is cleared.  Otherwise, the mode bits represented by the specified who and
           perm values are cleared.

     =     The mode bits specified by the who value are cleared, or, if no who value is specified, the
           owner, group and other mode bits are cleared.  Then, if no value is supplied for who, each per-mission permission
           mission bit specified in perm, for which the corresponding bit in the file mode creation mask is
           clear, is set.  Otherwise, the mode bits represented by the specified who and perm values are
           set.

     Each clause specifies one or more operations to be performed on the mode bits, and each operation is
     applied to the mode bits in the order specified.

     Operations upon the other permissions only (specified by the symbol ``o'' by itself), in combination
     with the perm symbols ``s'' or ``t'', are ignored.

EXAMPLES OF VALID MODES
     644           make a file readable by anyone and writable by the owner only.

     go-w          deny write permission to group and others.

     =rw,+X        set the read and write permissions to the usual defaults, but retain any execute permis-sions permissions
                   sions that are currently set.

     +X            make a directory or file searchable/executable by everyone if it is already search-able/executable searchable/executable
                   able/executable by anyone.

     755
     u=rwx,go=rx
     u=rwx,go=u-w  make a file readable/executable by everyone and writable by the owner only.

     go=           clear all mode bits for group and others.

     g=u-w         set the group bits equal to the user bits, but clear the group write bit.

ACL MANIPULATION OPTIONS
     ACLs are manipulated using extensions to the symbolic mode grammar.  Each file has one ACL, containing
     an ordered list of entries.  Each entry refers to a user or group, and grants or denies a set of per-missions. permissions.
     missions.  In cases where a user and a group exist with the same name, the user/group name can be pre-fixed prefixed
     fixed with "user:" or "group:" in order to specify the type of name.

     If the user or group name contains spaces you can use ':' as the delimiter between name and permission.

     The following permissions are applicable to all filesystem objects:
           delete  Delete the item.  Deletion may be granted by either this permission on an object or the
                   delete_child right on the containing directory.
           readattr
                   Read an objects basic attributes.  This is implicitly granted if the object can be looked
                   up and not explicitly denied.
           writeattr
                   Write an object's basic attributes.
           readextattr
                   Read extended attributes.
           writeextattr
                   Write extended attributes.
           readsecurity
                   Read an object's extended security information (ACL).
           writesecurity
                   Write an object's security information (ownership, mode, ACL).
           chown   Change an object's ownership.

     The following permissions are applicable to directories:
           list    List entries.
           search  Look up files by name.
           add_file
                   Add a file.
           add_subdirectory
                   Add a subdirectory.
           delete_child
                   Delete a contained object.  See the file delete permission above.

     The following permissions are applicable to non-directory filesystem objects:
           read    Open for reading.
           write   Open for writing.
           append  Open for writing, but in a fashion that only allows writes into areas of the file not
                   previously written.
           execute
                   Execute the file as a script or program.

     ACL inheritance is controlled with the following permissions words, which may only be applied to direc-tories: directories:
     tories:
           file_inherit
                   Inherit to files.
           directory_inherit
                   Inherit to directories.
           limit_inherit
                   This flag is only relevant to entries inherited by subdirectories; it causes the direc-tory_inherit directory_inherit
                   tory_inherit flag to be cleared in the entry that is inherited, preventing further nested
                   subdirectories from also inheriting the entry.
           only_inherit
                   The entry is inherited by created items but not considered when processing the ACL.

     The ACL manipulation options are as follows:

     +a      The +a mode parses a new ACL entry from the next argument on the commandline and inserts it
             into the canonical location in the ACL. If the supplied entry refers to an identity already
             listed, the two entries are combined.

             Examples
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
              # chmod +a "admin allow write" file1
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: admin allow write
              # chmod +a "guest deny read" file1
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: guest deny read
                2: admin allow write
              # chmod +a "admin allow delete" file1
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: guest deny read
                2: admin allow write,delete
              # chmod +a "User 1:allow:read" file
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: guest deny read
                2: User 1 allow read
                3: admin allow write,delete

             The +a mode strives to maintain correct canonical form for the ACL.
                              local deny
                              local allow
                              inherited deny
                              inherited allow

             By default, chmod adds entries to the top of the local deny and local allow lists. Inherited
             entries are added by using the +ai mode.

             Examples
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: guest deny read
                2: admin allow write,delete
                3: juser inherited deny delete
                4: admin inherited allow delete
                5: backup inherited deny read
                6: admin inherited allow write-security
              # chmod +ai "others allow read" file1
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: guest deny read
                2: admin allow write,delete
                3: juser inherited deny delete
                4: others inherited allow read
                5: admin inherited allow delete
                6: backup inherited deny read
                7: admin inherited allow write-security

     +a#     When a specific ordering is required, the exact location at which an entry will be inserted is
             specified with the +a# mode.

             Examples
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: guest deny read
                2: admin allow write
              # chmod +a# 2 "others deny read" file1
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: guest deny read
                2: others deny read
                3: admin allow write

             The +ai# mode may be used to insert inherited entries at a specific location. Note that these
             modes allow non-canonical ACL ordering to be constructed.

     -a      The -a mode is used to delete ACL entries. All entries exactly matching the supplied entry will
             be deleted. If the entry lists a subset of rights granted by an entry, only the rights listed
             are removed. Entries may also be deleted by index using the -a# mode.

             Examples
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: guest deny read
                2: admin allow write,delete
              # chmod -a# 1 file1
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: admin allow write,delete
              # chmod -a "admin allow write" file1
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: admin allow delete

             Inheritance is not considered when processing the -a mode; rights and entries will be removed
             regardless of their inherited state.

             If the user or group name contains spaces you can use ':' as the delimiter

             Example
              # chmod +a "User 1:allow:read" file

     =a#     Individual entries are rewritten using the =a# mode.

             Examples
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: admin allow delete
              # chmod =a# 1 "admin allow write,chown"
              # ls -le
              -rw-r--r--+ 1 juser  wheel  0 Apr 28 14:06 file1
                owner: juser
                1: admin allow write,chown

             This mode may not be used to add new entries.

     -E      Reads the ACL information from stdin, as a sequential list of ACEs, separated by newlines.  If
             the information parses correctly, the existing information is replaced.

     -C      Returns false if any of the named files have ACLs in non-canonical order.

     -i      Removes the 'inherited' bit from all entries in the named file(s) ACLs.

     -I      Removes all inherited entries from the named file(s) ACL(s).

     -N      Removes the ACL from the named file(s).

COMPATIBILITY
     The -v option is non-standard and its use in scripts is not recommended.

SEE ALSO
     chflags(1), fsaclctl(1), install(1), chmod(2), stat(2), umask(2), fts(3), setmode(3), symlink(7),
     chown(8), mount(8), sticky(8)

STANDARDS
     The chmod utility is expected to be IEEE Std 1003.2 (``POSIX.2'') compatible with the exception of the
     perm symbol ``t'' which is not included in that standard.

HISTORY
     A chmod command appeared in Version 1 AT&T UNIX.

BSD                              July 08, 2004                             BSD

Reporting Problems

The way to report a problem with this manual page depends on the type of problem:

Content errors
Report errors in the content of this documentation with the feedback links below.
Bug reports
Report bugs in the functionality of the described tool or API through Bug Reporter.
Formatting problems
Report formatting mistakes in the online version of these pages with the feedback links below.

Feedback